diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index 2dfc05ba..2b6c96e7 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,127 +1,3 @@ -# Contributor Covenant Code of Conduct +## Code of Conduct -## Our Pledge - -We as members, contributors, and leaders pledge to make participation in our -community a harassment-free experience for everyone, regardless of age, body -size, visible or invisible disability, ethnicity, sex characteristics, gender -identity and expression, level of experience, education, socio-economic status, -nationality, personal appearance, race, religion, or sexual identity -and orientation. - -We pledge to act and interact in ways that contribute to an open, welcoming, -diverse, inclusive, and healthy community. - -## Our Standards - -Examples of behavior that contributes to a positive environment for our -community include: - -* Demonstrating empathy and kindness toward other people -* Being respectful of differing opinions, viewpoints, and experiences -* Giving and gracefully accepting constructive feedback -* Accepting responsibility and apologizing to those affected by our mistakes, - and learning from the experience -* Focusing on what is best not just for us as individuals, but for the - overall community - -Examples of unacceptable behavior include: - -* The use of sexualized language or imagery, and sexual attention or - advances of any kind -* Trolling, insulting or derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or email - address, without their explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Enforcement Responsibilities - -Community leaders are responsible for clarifying and enforcing our standards of -acceptable behavior and will take appropriate and fair corrective action in -response to any behavior that they deem inappropriate, threatening, offensive, -or harmful. 
- -Community leaders have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are -not aligned to this Code of Conduct, and will communicate reasons for moderation -decisions when appropriate. - -## Scope - -This Code of Conduct applies within all community spaces, and also applies when -an individual is officially representing the community in public spaces. -Examples of representing our community include using an official e-mail address, -posting via an official social media account, or acting as an appointed -representative at an online or offline event. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported to the community leaders responsible for enforcement [here](mailto:ben@armosec.io). -All complaints will be reviewed and investigated promptly and fairly. - -All community leaders are obligated to respect the privacy and security of the -reporter of any incident. - -## Enforcement Guidelines - -Community leaders will follow these Community Impact Guidelines in determining -the consequences for any action they deem in violation of this Code of Conduct: - -### 1. Correction - -**Community Impact**: Use of inappropriate language or other behavior deemed -unprofessional or unwelcome in the community. - -**Consequence**: A private, written warning from community leaders, providing -clarity around the nature of the violation and an explanation of why the -behavior was inappropriate. A public apology may be requested. - -### 2. Warning - -**Community Impact**: A violation through a single incident or series -of actions. - -**Consequence**: A warning with consequences for continued behavior. No -interaction with the people involved, including unsolicited interaction with -those enforcing the Code of Conduct, for a specified period of time. 
This -includes avoiding interactions in community spaces as well as external channels -like social media. Violating these terms may lead to a temporary or -permanent ban. - -### 3. Temporary Ban - -**Community Impact**: A serious violation of community standards, including -sustained inappropriate behavior. - -**Consequence**: A temporary ban from any sort of interaction or public -communication with the community for a specified period of time. No public or -private interaction with the people involved, including unsolicited interaction -with those enforcing the Code of Conduct, is allowed during this period. -Violating these terms may lead to a permanent ban. - -### 4. Permanent Ban - -**Community Impact**: Demonstrating a pattern of violation of community -standards, including sustained inappropriate behavior, harassment of an -individual, or aggression toward or disparagement of classes of individuals. - -**Consequence**: A permanent ban from any sort of public interaction within -the community. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], -version 2.0, available at -https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. - -Community Impact Guidelines were inspired by [Mozilla's code of conduct -enforcement ladder](https://github.com/mozilla/diversity). - -[homepage]: https://www.contributor-covenant.org - -For answers to common questions about this code of conduct, see the FAQ at -https://www.contributor-covenant.org/faq. Translations are available at -https://www.contributor-covenant.org/translations. +The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 9b21e6d8..54a679da 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md 
@@ -1,10 +1,11 @@ # Maintainers -The following table lists Kubescape project maintainers +The following table lists the Kubescape project maintainers: -| Name | GitHub | Email | Organization | Role | Added/Renewed On | -| --- | --- | --- | --- | --- | --- | -| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | ben@armosec.io | [ARMO](https://www.armosec.io/) | VP R&D | 2021-09-01 | -| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | rrefael@armosec.io | [ARMO](https://www.armosec.io/) | Team Leader | 2021-10-11 | -| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | dwertent@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape CLI Developer | 2021-09-01 | -| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | bbrandwine@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape SaaS Developer | 2021-09-01 | +| Name | GitHub | Organization | Added/Renewed On | +| --- | --- | --- | --- | +| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 | +| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 | +| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 | +| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | [ARMO](https://www.armosec.io/) | 2021-09-01 | +| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [ARMO](https://www.armosec.io/) | 2022-10-31 | 
diff --git a/cmd/scan/framework.go b/cmd/scan/framework.go
index edb3bb55..ba11a3ff 100644
--- a/cmd/scan/framework.go
+++ b/cmd/scan/framework.go
@@ -16,7 +16,6 @@ import (
 "github.com/kubescape/kubescape/v2/core/cautils"
 "github.com/kubescape/kubescape/v2/core/meta"
- "github.com/enescakir/emoji"
 "github.com/spf13/cobra"
 )
@@ -113,7 +112,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 logger.L().Fatal(err.Error())
 }
 if !scanInfo.VerboseMode {
- cautils.SimpleDisplay(os.Stderr, "%s Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+ cautils.SimpleDisplay(os.Stderr, "Run with '--verbose'/'-v' flag for detailed resources view\n\n")
 }
 if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
diff --git a/core/pkg/hostsensorutils/hostsensor.yaml b/core/pkg/hostsensorutils/hostsensor.yaml
index d59596ae..4ad7e84d 100644
--- a/core/pkg/hostsensorutils/hostsensor.yaml
+++ b/core/pkg/hostsensorutils/hostsensor.yaml
@@ -38,6 +38,7 @@ spec:
 - name: host-sensor
 image: quay.io/kubescape/host-scanner:v1.0.39
 securityContext:
+ allowPrivilegeEscalation: true
 privileged: true
 readOnlyRootFilesystem: true
 procMount: Unmasked
diff --git a/core/pkg/hostsensorutils/hostsensorworkerpool.go b/core/pkg/hostsensorutils/hostsensorworkerpool.go
index 7278d65f..ded788e5 100644
--- a/core/pkg/hostsensorutils/hostsensorworkerpool.go
+++ b/core/pkg/hostsensorutils/hostsensorworkerpool.go
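Review bot: The added `allowPrivilegeEscalation: true` on the host-sensor container needs a comment, because a reader hardening this manifest will be tempted to flip it to false. The API server rejects `privileged: true` combined with `allowPrivilegeEscalation: false`, so the field has to stay true for as long as the container is privileged; the line therefore makes an existing capability explicit rather than granting a new one. Suggest `# must stay true while privileged is true: the API server rejects privileged=true with allowPrivilegeEscalation=false` directly above it, so the two settings are read together.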
@@ -47,10 +47,7 @@ func (wp *workerPool) hostSensorWorker(hsh *HostSensorHandler, wg *sync.WaitGrou
 for job := range wp.jobs {
 hostSensorDataEnvelope, err := hsh.getResourcesFromPod(job.podName, job.nodeName, job.requestKind, job.path)
 if err != nil {
- // TODO: Add to the condition also cloud provider (as in main cloud providers there is no access to control plane)
- if job.path != "/controlPlaneInfo" {
- logger.L().Error("failed to get data", helpers.String("path", job.path), helpers.String("podName", job.podName), helpers.Error(err))
- }
+ logger.L().Error("failed to get data", helpers.String("path", job.path), helpers.String("podName", job.podName), helpers.Error(err))
 } else {
 wp.results <- hostSensorDataEnvelope
 }
diff --git a/core/pkg/policyhandler/handlepullpolicies.go b/core/pkg/policyhandler/handlepullpolicies.go
index 63b57926..95a4df3b 100644
--- a/core/pkg/policyhandler/handlepullpolicies.go
+++ b/core/pkg/policyhandler/handlepullpolicies.go
@@ -60,9 +60,11 @@ func (policyHandler *PolicyHandler) getScanPolicies(policyIdentifier []cautils.P
 if err != nil {
 return frameworks, policyDownloadError(err)
 }
+ if err := validateFramework(receivedFramework); err != nil {
+ return frameworks, err
+ }
 if receivedFramework != nil {
 frameworks = append(frameworks, *receivedFramework)
-
 cache := getter.GetDefaultPath(rule.Name + ".json")
 if err := getter.SaveInFile(receivedFramework, cache); err != nil {
 logger.L().Warning("failed to cache file", helpers.String("file", cache), helpers.Error(err))
diff --git a/core/pkg/policyhandler/handlepullpolicies_test.go b/core/pkg/policyhandler/handlepullpolicies_test.go
deleted file mode 100644
index d1118182..00000000
--- a/core/pkg/policyhandler/handlepullpolicies_test.go
+++ /dev/null
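Review bot: Dropping the `/controlPlaneInfo` exemption turns a known, expected failure into one Error log line per node on managed clusters where the control plane is not reachable, and the TODO that explained the exemption is gone without the cloud-provider condition it asked for. If that noise is accepted, say so on the new `logger.L().Error(...)` line, e.g. `// /controlPlaneInfo is expected to fail on managed control planes; reported as an error until a cloud-provider check exists`; otherwise log that path at Warning and keep Error for the rest. Note that a failed job still sends nothing on `wp.results`, so the log line is the only trace of the gap. The signature of hostSensorWorker and the end of the function are outside the hunk.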
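Review bot: The `if receivedFramework != nil` guard that follows the new validation can no longer be false, because `validateFramework` returns an error for a nil framework and the function returns on that error; the guard now reads as dead code and should be dropped (`frameworks = append(frameworks, *receivedFramework)` unconditionally), or the nil check should live only in the caller. This is also a behaviour change: a nil framework with a nil download error used to be skipped silently and now aborts `getScanPolicies` — confirm the getter cannot return that combination for a legitimately absent framework. The rest of getScanPolicies, including its other return paths, is outside the hunk.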
@@ -1,23 +0,0 @@
-package policyhandler
-
-// func TestGetPoliciesFromBackend(t *testing.T) {
-// notification := reporthandling.PolicyNotification{
-// Rules: []reporthandling.PolicyIdentifier{
-// {
-// Kind: reporthandling.KindFramework,
-// Name: "mitretest",
-// },
-// },
-// }
-// // os.Setenv(cacli., "")
-// ph := PolicyHandler{
-// cacli: &cacli.Cacli{},
-// }
-// f, err := ph.GetPoliciesFromBackend(¬ification)
-// if err != nil {
-// t.Error(err)
-// }
-// if len(f) == 0 {
-// t.Errorf("empty")
-// }
-// }
diff --git a/core/pkg/policyhandler/handlepullpoliciesutils.go b/core/pkg/policyhandler/handlepullpoliciesutils.go
index 4e109e8a..551f19d5 100644
--- a/core/pkg/policyhandler/handlepullpoliciesutils.go
+++ b/core/pkg/policyhandler/handlepullpoliciesutils.go
@@ -5,6 +5,7 @@ import (
 "strings"
 apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+ "github.com/kubescape/opa-utils/reporthandling"
 "github.com/kubescape/kubescape/v2/core/cautils"
 )
@@ -21,3 +22,16 @@ func policyDownloadError(err error) error {
 }
 return err
 }
+
+// validate the framework
+func validateFramework(framework *reporthandling.Framework) error {
+ if framework == nil {
+ return fmt.Errorf("received empty framework")
+ }
+
+ // validate the controls are not empty
+ if len(framework.Controls) == 0 {
+ return fmt.Errorf("failed to load controls for framework: %s: empty list of controls", framework.Name)
+ }
+ return nil
+}
diff --git a/core/pkg/policyhandler/handlepullpoliciesutils_test.go b/core/pkg/policyhandler/handlepullpoliciesutils_test.go
new file mode 100644
index 00000000..453ee5ac
--- /dev/null
+++ b/core/pkg/policyhandler/handlepullpoliciesutils_test.go
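Review bot: The doc comment on the new `validateFramework` does not follow the Go convention of starting with the name; replace `// validate the framework` with `// validateFramework returns an error when framework is nil or has no controls.`. The second error string opens with `failed to load controls`, which reads as a loader message rather than a validation result, and interpolates the name with `%s`, which disappears when the name is empty; `fmt.Errorf("framework %q has no controls", framework.Name)` is shorter and keeps an empty name visible. `fmt` is not in the import hunk above; presumably it is already imported for `policyDownloadError`, otherwise the new function will not compile.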
@@ -0,0 +1,48 @@
+package policyhandler
+
+import (
+ "testing"
+
+ "github.com/kubescape/opa-utils/reporthandling"
+)
+
+func Test_validateFramework(t *testing.T) {
+ type args struct {
+ framework *reporthandling.Framework
+ }
+ tests := []struct {
+ name string
+ args args
+ wantErr bool
+ }{
+ {
+ name: "empty framework",
+ args: args{
+ framework: &reporthandling.Framework{
+ Controls: []reporthandling.Control{},
+ },
+ },
+ wantErr: true,
+ },
+ {
+ name: "none empty framework",
+ args: args{
+ framework: &reporthandling.Framework{
+ Controls: []reporthandling.Control{
+ {
+ ControlID: "c-0001",
+ },
+ },
+ },
+ },
+ wantErr: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if err := validateFramework(tt.args.framework); (err != nil) != tt.wantErr {
+ t.Errorf("validateControls() error = %v, wantErr %v", err, tt.wantErr)
+ }
+ })
+ }
+}
diff --git a/core/pkg/resourcehandler/k8sresources.go b/core/pkg/resourcehandler/k8sresources.go
index e1c42eab..72406c96 100644
--- a/core/pkg/resourcehandler/k8sresources.go
+++ b/core/pkg/resourcehandler/k8sresources.go
@@ -88,7 +88,6 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 logger.L().Info("Requesting images vulnerabilities results")
 cautils.StartSpinner()
 if err := k8sHandler.registryAdaptors.collectImagesVulnerabilities(k8sResourcesMap, allResources, ksResourceMap); err != nil {
- logger.L().Warning("failed to collect image vulnerabilities", helpers.Error(err), helpers.String("Read more here", "https://hub.armosec.io/docs/configuration-of-image-vulnerabilities"))
 cautils.SetInfoMapForResources(fmt.Sprintf("failed to pull image scanning data: %s. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities", err.Error()), imgVulnResources, sessionObj.InfoMap)
 } else {
 if isEmptyImgVulns(*ksResourceMap) {
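Review bot: The failure message in `Test_validateFramework` names the wrong function: `t.Errorf("validateControls() error = %v, wantErr %v", err, tt.wantErr)` should read `validateFramework()`, otherwise a failing run points at code that does not exist. The nil branch that `validateFramework` checks first has no case in the table; add `{name: "nil framework", args: args{framework: nil}, wantErr: true},` so the check that actually protects the caller is exercised. The table name `"none empty framework"` would also read better as `"non-empty framework"`.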
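Review bot: With the Warning removed, a failed `collectImagesVulnerabilities` call is recorded only through `cautils.SetInfoMapForResources`, so the error no longer reaches the log at all; someone debugging a misconfigured registry integration will see it only if the info map reaches the output they look at. If the Warning was dropped as duplicate noise, a lower-severity line keeps it traceable, e.g. `logger.L().Debug("failed to collect image vulnerabilities", helpers.Error(err))`, assuming the logger exposes a debug level. GetResources continues outside the hunk on both sides.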
diff --git a/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go b/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go
index fc807904..eb08980b 100644
--- a/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go
+++ b/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go
@@ -142,7 +142,7 @@ func (report *ReportEventReceiver) setResults(reportObj *reporthandlingv2.Postur
 // set result.RawResource
 resourceID := v.GetResourceID()
 if _, ok := allResources[resourceID]; !ok {
- return fmt.Errorf("expected to find raw resource object for '%s'", resourceID)
+ continue
 }
 resource := reporthandling.NewResourceIMetadata(allResources[resourceID])
 if r, ok := resourcesSource[resourceID]; ok {
diff --git a/install.sh b/install.sh
index 213860c9..9b180dd7 100755
--- a/install.sh
+++ b/install.sh
@@ -66,6 +66,6 @@ echo -e "\033[0m"
 $KUBESCAPE_EXEC version
 echo
-echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --enable-host-scan --verbose"
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --enable-host-scan"
 echo -e "\033[0m"
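Review bot: Replacing the error with `continue` means a result whose raw object is missing from `allResources` is silently dropped from the posture report, and nothing records which resourceID was skipped; what was a hard failure now leaves no trace at all. Add a comment on the `continue`, `// no raw object was collected for this result; skip it rather than fail the whole report`, and, if the package logger is in scope in this file, a debug line carrying `resourceID` before it so gaps in the submitted report can be traced. If `fmt` was used only on the removed line the import has to go too. The loop and `setResults` continue outside the hunk.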